Threat actor

The BlackShadow hacking group attacked the Israeli hosting provider Cyberserve to steal client databases and disrupt the company’s services.

Cyberserve is an Israeli web development firm and hosting company used by various organizations, including local radio stations, museums, and educational institutions.

Attacking many victims at once

Starting Friday, when attempting to access websites hosted at Cyberserve, visitors were met with website errors or messages that the site was inaccessible due to a cybersecurity incident.

Dan Bus outage message
Dan Bus outage message

A hacking group known as BlackShadow claimed responsibility for the attack on Cyberserve and is extorting the hosting company and its customers by demanding $1 million in cryptocurrency not to leak stolen data.

The deadline for this extortion demand was set for 48 hours, starting on Saturday, but the actors almost immediately leaked a sample of 1,000 records to prove their point.

Included in the data theft is a database containing the personal information of a large LGBT site named ‘Atraf,’ which makes the security incident quite dire.

Exposing LGBT people who live in conservative societies puts them at significant risk, both physically and psychologically.

“Atraf’s team did not contact us for any deal’s yet so we collected 50 famous israeli that were surfing and we leak their video’s,” threatended the hacking group on Telegram.

At the time of writing this, many of the websites hosted at CyberServe are inaccessible, including Atraf, indicating that the company is still responding to the attack.

Other websites affected by this attack are:

  • The Kavim (Dan Bus) public transportation firm.
  • The Kan public broadcaster.
  • The Pegasus travel agency.
  • The Holon Children’s Museum.

The National Cyber Directorate told The Times of Israel that they had warned CyberServe about an imminent cyber attack several times in the previous days.

It is unclear if Cyberserve ignored these warnings or could not find the security vulnerability used by the threat actors.

Politically motivated

BlackShadow is an Iranian state-sponsored hacking group that has confirmed links to the Pay2Key ransomware strain that has been repeatedly deployed against Israeli targets. 

However, unlike typical ransomware attacks, the threat actors behind BlackShadow are not believed to be financially motivated.

Omri Segev Moyal, co-founder & CEO of Israeli cybersecurity firm Profero, told Bleeping Computer that attacks by these hacking groups are retaliatory and designed to disrupt Israeli interests.

“The recent attacks from the so-called ‘BlackShadow’ are just another cycle of the clandestine Iran-Israeli war. It’s a well-constructed InfoOp combined with very weak hacking skills to hurt Israel. We assume the current cycle is also in retaliation for the attack against the gas pumps in Iran last week.” – Omri Segev Moyal.

Last year, the group extorted the Israeli insurance company’ Shirbit,’ demanding a payment of $1 million in Bitcoin and threatening to leak stolen data.